Here is the reply from Marc Rotenberg of EPIC



At 12:19 14.10.1998 +0200, Chr. Schulzki-Haddouti wrote:
>This paper was circulated at the DIHT yesterday.
>Central point: the changed position on "Key Recovery Agents"

>Date: Sat, 17 Oct 1998 16:30:28 -0400
>From: Marc Rotenberg <rotenberg@epic.org>
>Subject: Re: [FYI] Aaron and data protection
>To: gilc-plan@gilc.org
>Reply-To: gilc-plan@gilc.org
>>Does David Aaron call for privacy?
>No. Somewhat detailed comments below.
>>16 October 1998
>>See related Aaron speech on encryption policy:
>>USIS Washington File
>>16 October 1998
>>(Sees "significant overlap of principles" between US, EC) (1670)
>>Brussels -- Under Secretary of Commerce David Aaron told reporters
>>here October 15 that the United States and Europe "have gotten to a
>>significant, if not identical overlap of basic principles on what
>>needs to be done to protect privacy" of electronic data.
>This is contrary to the impression conveyed by Bangemann and
>Daley at the OECD Ministerial conference last week in Ottawa.
>It is also contrary to comments made to me by members of the
>Commission and representatives of US firms involved in the
>negotiation. In fact, at a Brookings conference yesterday where
>a new book on the impact of the EU Directive was released,
>one of the co-authors who is largely sympathetic to the US
>position, said he thought the problem was "intractable."
>>"I think we have reached the stage where we need to actually begin a
>>real negotiation, where we can begin trying to hammer out an agreement
>>that would on the one hand ensure European customers, European
>>individuals, that their data being transmitted across the Atlantic --
>>that they could have confidence that it would be protected adequately
>>(and) on the other hand, where our companies would be in a position
>>that, if they adopted certain practices and principles, that they
>>would feel that they were safe and doing what was required under the
>>[European] Data [Privacy] Directive and they would not be subject to
>>suits," Aaron said.
>>Following is transcript of U.S. Under Secretary of Commerce David
>>Aaron press briefing on data privacy discussions:
>>(Begin transcript)
>>Press Conference
>>October 16, 1998
>>I can say this: we have been meeting with the Commission now for
>>roughly seven months at least and we probably have had four, five,
>>maybe six meetings at my level and innumerable sessions both in person
>>and by video and by e-mail at other levels, and I think it's fair to
>>say that these have been, first of all, consultations and not
>>negotiations. I think that is a very important point, because what we
>>have been trying to accomplish is to see if we had a meeting of the
>>minds as to how to increase and protect the privacy of our citizens,
>>and secondly on how we could ensure that data would continue to flow
>>across the Atlantic when the European Data Privacy Directive came into
>>effect. And those really have been our principal goals.
>The US has been trying to kill the Directive since well before it
>was adopted. In fact the involvement of the US government goes back
>to at least 1991. In the early stages, the US tried to coordinate
>efforts to gut or significantly dilute the privacy law. US
>officials coordinated meetings on behalf of Readers Digest,
>the Direct Marketing Association and others with colleagues
>in Brussels to try to persuade European officials to revise
>certain key parts of the directive. Briefing papers prepared
>for and paid by the DMA were circulated by officials from the
>US State Department as if they represented positions of the
>US government.
>>As we have discussed in effect the European approach, criteria, and so
>>forth and our approach, I think it's fair to say that we have come to
>>see that there is a significant overlap in our approaches even though
>>our procedures and our structures are very different.
>The European approach is based fundamentally on the establishment
>of a legal framework to enforce privacy rights. It builds
>on principles contained in the 1980 OECD Privacy Guidelines
>and also reflects certain attributes of European data protection,
>particularly approached from the German and French experience.
>The current US approach relies on "self-regulation" that is
>essentially notice and consent mechanisms. There is no
>presumption of a right nor any guarantee of enforcement.
>It is difficult to conceive of two approaches to privacy
>protection that are more different in their purpose or
>>As I have explained to our European friends, the concept of an overall
>>law that defined one's privacy, that established data commissioners
>>who would implement and otherwise define what is permissible and what
>>is not permissible in terms of the exchange of personal data, all of
>>that would be regarded in the United States as an invasion of privacy.
>There is a certain amount of cynicism required to characterize
>an effective privacy regime as "an invasion of privacy." Proposals
>for comprehensive privacy laws in the United States go back to
>1974 and virtually every scholar and commission that has looked
>at privacy in the US since has recommended the creation of
>an independent privacy agency. (My own contribution to this
>long tradition was published in 1991 in Government Information
>>So we have a very different approach which is a mixed approach, that
>>involves law -- in the case of financial information, regulation -- as
>>it applies to financial information and information about children,
>>regulation -- as it applies to, again, financial information and
>>medical information and some other categories, and self-regulation.
>>All of this in the context in which self-regulation takes place in the
>>context of our fraud statutes and the responsibility of the Federal
>>Trade Commission to pursue misrepresentation and deceitful practices.
>Based on this description, it could be said that the US has a
>"mixed up" approach. The simple statement would be that the
>US has a sectoral approach, which means simply that certain
>activities in the private sector are covered and others are
>not. But the problem with this characterization is that it
>begs the question why all sectors shouldn't be covered. So,
>the US officials turn to word games.
>>So we have a mixed situation which is more complicated. In the course
>>of these conversations, I think the privacy situation in the United
>>States has evolved dramatically. We now have at least three online
>>privacy services that are available to businesses, that establish
>>systems, principles and procedures to ensure people's privacy, that
>>respond to the basic elements of affected privacy which the Clinton
>>Administration promulgated in January, and which provide for
>>independent dispute resolution, and that sort of thing.
>Aaron is referring to Truste, the Online Privacy Alliance,
>and the Better Business Bureau privacy initiative. Regarding
>Truste, the group quickly moved from its more reliable
>system of seals that, for example, guaranteed anonymity,
>to one where any privacy policy goes. I've tried to explain
>to Esther Dyson on several occasions that the whole purpose
>of certification is to provide some level of quality
>assurance. But Truste pretty much ignored that approach
>to build a broader audience for its services.
>Which is particularly disturbing since Truste is probably
>the best of the three. There is no indication that the
>privacy Alliance has any review mechanism. It's not even
>clear if the group will continue beyond the end of this
>year. The BBB program doesn't even exist, and that group
>has already decided that the BBB privacy seal will be
>independent of a regular BBB association.
>>As we have drawn upon this evolving situation in the United States, we
>>tried to compare our basic elements with their views of what is
>>adequate privacy protection, and I think we have gotten a significant,
>>if not identical, overlap of basic principles on what needs to be done
>>to protect privacy.
>Anyone who has followed the negotiations over the last few months
>knows that there has been virtually no progress on the key issues
>-- access to records and enforcement. The US officials continue
>to whine that access is too expensive and cannot be justified
>on a cost benefit basis. The problem of enforcement is usually
>answered with vague references to the FTC, which has the
>authority to investigate fraudulent and deceptive trade
>practices but not to enforce codes of fair information practices.
>>Now, I think we have reached the stage where we need to actually begin
>>a real negotiation, where we can begin trying to hammer out an
>>agreement that would, on the one hand, ensure European customers,
>>European individuals -- that their data being transmitted across the
>>Atlantic -- that they could have confidence that it would be protected
>>adequately, on the other hand, where our companies would be in a
>>position that if they adopted certain practices and principles, that
>>they would feel that they were safe and doing what was required under
>>the Data Directive and they would not be subject to suits and so
>Aaron is trying desperately to get a commitment from the European
>Commission to state explicitly that the US satisfies the Article
>25 "adequacy" requirement in the EU Directive. He and Magaziner
>have pursued a high risk strategy. Rather than to propose privacy
>legislation as other countries have done in response to the
>EU effort -- Canada announced its plans for legislation on the
>eve of the Ottawa summit -- the US is trying to find a non-
>legislative solution that will leave companies happy and
>consumers mollified. But in the three or so years that this
>effort has gone forward, privacy concerns in the US have been
>on the rise and US companies have become increasingly
>concerned about the consequences of enforcement of the
>>That's sort of where we are. The Commission now is consulting with
>>member states; they are going to have some meetings that are scheduled
>>over the next few weeks, and we are hopeful that, based on those
>>consultations, they will be able to move to the stage of actual
>>negotiations and working out promptly the necessary agreements or
>>arrangements, however they might be expressed.
>It's a very interesting open-ended process, reflecting both the
>nature of the evolving European institutions and the specific
>structure envisaged in the Data Directive. Even if the Commission
>and the Article 31 Working group were to agree in principle
>that the US satisfies the adequacy requirement, it is unlikely
>that the Commission could prevent individual member states
>from taking action based on either the authority established
>by the Directive or on independent national law. The Directive
>does anticipate a consultation process among the EU countries
>to ensure some consistency in determinations about data flows.
>>Question: Can you explain to us how exactly these sort of safe
>>harbors, or sort of voluntary agreements, would work ?
>>Under Secretary Aaron: I think the idea is this. If, for example, the
>>Commerce Department sets forth a set of principles that companies
>>could adhere to and procedures that companies could adhere to, and if
>>those principles and procedures were deemed to be adequate by the
>>European Union, then these companies would be in a "safe harbor." In
>>other words, they would have done things necessary to conform to the
>>European Union's view of what is adequate privacy protection. Now,
>>that wouldn't necessarily protect them from complaints, because that
>>could happen -- nobody can keep that from happening -- but the
>>practices themselves would not be the issue, the issue would be is the
>>company actually doing what it says it is doing.
>>Question: What's the significance of moving to a formal negotiation as
>>opposed to talks, I mean, will you now come forward then with formal
>>proposals, or how does it affect...?
>>Under Secretary Aaron: I think that's the point. The Commission has
>>not been negotiating. We have put forward some ideas and they have
>>said, "That's interesting," and now we need to get a real response
>>from them. Do they think this is the right way to go? Is safe harbor
>>really something that they think is -- can we get down to the real
>>process of working something out in concrete terms?
>>Question: Have you given them some proposals, some concrete proposals
>>Under Secretary Aaron: We have raised these ideas, but we haven't
>>given them concrete proposals in the negotiating sense because they
>>haven't reached that stage yet.
>Aaron already tipped this card. The US has proposed a safe harbor
>approach based on the posting of a privacy policy and some means
>of independent verification. This fits with the Truste,
>Privacy Alliance effort. But the Commission has looked at
>these two programs and generally been unimpressed.
>For those with short memories, less than a year ago, US
>officials were telling their European colleagues that
>P3P would solve the privacy problem and they anticipated
>wide adoption in the US.
>>Question: But is this the next step, then, that the Commerce
>>Department will draw up these principles, or have you already done
>>that ?
>>Under Secretary Aaron: No, we would have to elaborate those, and we
>>would have to formally present them. I think the next step before that
>>would be for the Commission to get support from the member states in
>>moving forward in this direction, and that's what they are seeking
>>now. You know, these principles are not a mystery; they are contained
>>in the practices of these online privacy alliances. They are contained
>>in our basic elements; it's a matter of reducing that to real
>Aaron may be saying more than he intends. The Europeans would
>like to see the principles that have been articulated enforceable
>in law. That could explain the reference to "real language."
>But that would be going further than the US intends to go
>at this point.
>>Question: Do you have a guarantee that the third parties, which
>>oversaw the safe harbors, were conforming to -- the safe harbors were
>>indeed doing what they were meant to be doing? Would the government
>>have to guarantee that or would it be banks or trusted organizations
>>who could do that job ?
>>Under Secretary Aaron: I think our view is that there are three ways
>>that that could be done. One is that the companies could get together
>>and create an independent body that would do that, and that's sort of
>>what these online privacy groups do.
>>The second is that some of our industries are very heavily regulated -
>>that's the banking sector, that's the insurance sector and so forth,
>>where a lot of personal information is transmitted. They are very
>>heavily regulated and in effect that regulation would serve that same
>>The third, of course, is that the companies could offer -- it seems to
>>us, this is just our idea -- but the companies could offer to
>>cooperate with the European data protection authorities to give them
>>this assurance.
>This approach is already well underway. Citibank negotiated with
>Berlin data protection authority following the blow-up over the
>German railway card. The outcome was a negotiated contract between
>a US firm and a European privacy agency. Similar proposals have
>been made in other sectors. The advantage of this approach for
>the firms is that it provides some genuine assurance. The lawyers
>also like it because it creates new business for privacy contracts.
>But it favors large, established enterprises over smaller ones,
>and is costly to administer. EU officials have argued that over
>the long term it would be cheaper and easier for both sides
>if simple sectoral laws were passed. Some US firms agree.
>>Question: The Commission seems to be saying that the most important
>>thing is that there be enforcement. They don't want some voluntary
>>codes that aren't enforced and they cite evidence that in the U.S.
>>their problem is with actually companies living up to the commitment
>>that they're making.
>This is hardly a new problem. The study by Reidenberg and
>Schwartz found that only half of the members of the Direct
>Marketing Association followed the DMA's own privacy guidelines.
>A more recent study by EPIC found that few of the DMA's new
>members posted a privacy policy, even after the DMA said that
>posting such a policy would be a condition of membership.
>>Under Secretary Aaron: I guess one of my responses to that is, that's
>>certainly true in Europe as well. We just came from Germany where the
>>federal data protection officer was talking just about things at the
>>federal level, which means the government's own actions. They have
>>3,000 complaints a year, so this problem is by no means limited to
>>U.S. companies. We believe that there should be some independent
>>process here, and that's a point that I think represents an evolution
>>in our thinking.
>Turn the argument around. This is one of the favorite tactics
>of US negotiators when they reach a tough spot in the debate
>over privacy protection. Ira Magaziner was fond of saying that
>the Europeans were not serious about enforcing the Directive,
>until he learned otherwise.
>>I also might add that, in addition to that, the FTC (Federal Trade
>>Commission) itself has made clear to the Commission that claims that
>>the companies might make as to their privacy practices, if they proved
>>to be untrue, would be -- in Europe, vis-a-vis Europeans -- would be
>>treated just as that same sort of fraudulent or deceitful practice
>>would be in the United States, and it would be subject to FTC
>>investigation and action.
>Interesting concept. The US has argued from the start that the
>Europeans should not be able to exercise authority over activities
>in the US, and has threatened to go to the WTO if the negotiation
>breaks down. But here the US is threatening FTC review of European
>consumer practices. Does this mean the Europeans will go to the
>WTO over FTC authority? This could get very interesting.
>>Question: What's coming up on the 26th? Are we going to have any data
>>Under Secretary Aaron: I would hope not. Certainly, we have had a very
>>cooperative, very constructive set of meetings here and I think we are
>>moving along in a genuine mutual problem solving mode here.
>It is true that the US has spent a lot of time trying to find
>a solution to the problems that enforcement of the
>There were a number of US firms, for example in the financial
>sector, that said legislation might be the best solution as
>it would quickly resolve
>But the US team -- David Aaron, Ira Magaziner, Barbara Wellbury
>-- had a better idea. Posting privacy policies and notice
>and consent. There is little support for this approach outside
>of the participants, but that hasn't slowed the campaign.
>It was not too long ago that David Aaron also headed the
>US effort to build support for the US key escrow proposal.
>And when he spoke at the RSA conference in January 1998
>it was with the purpose of trying to persuade attendees
>that the US was actually responding to the pressures of
>foreign governments to establish techniques for law
>enforcement access.